Shellshock

Open forum for security issues and info.
foetz
Moderator
Posts: 6594
Joined: Mon Apr 14, 2003 4:34 am

Re: Shellshock

Post by foetz » Fri Oct 10, 2014 4:10 am

smj wrote:folks coming from Linuxdom and picking up the SGI/IRIX habit will look around for bash pretty quickly. Might as well make it easier for them to indulge their new addiction, rather than creating an obstacle that prevents anybody from joining the club.

hehe yes sure. although not having a specific shell might not keep them away completely. after all people who come from linux to unix/risc do that because they want something different i'd think.
there's not much sense in sticking to bash and gcc on every platform. makes it rather pointless

armanox
Posts: 206
Joined: Sun Feb 23, 2014 9:31 pm
Location: Baltimore, MD, USA

Re: Shellshock

Post by armanox » Fri Oct 10, 2014 9:48 am

foetz wrote:
smj wrote:folks coming from Linuxdom and picking up the SGI/IRIX habit will look around for bash pretty quickly. Might as well make it easier for them to indulge their new addiction, rather than creating an obstacle that prevents anybody from joining the club.

hehe yes sure. although not having a specific shell might not keep them away completely. after all people who come from linux to unix/risc do that because they want something different i'd think.
there's not much sense in sticking to bash and gcc on every platform. makes it rather pointless


I'd rather have an up-to-date package for them to use if they so chose, rather than the ancient version on SGI Freeware being the only one.
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:

armanox
Posts: 206
Joined: Sun Feb 23, 2014 9:31 pm
Location: Baltimore, MD, USA

Re: Shellshock

Post by armanox » Fri Oct 10, 2014 10:00 am

I've patched the bash-4.3-source through .29 (rebuilding with .30 on my octane now). I also have patched bash-4.2-sources (since neko_bash.tardist is 4.2). (Alternate download link from Google Drive)
Attachments
bash-4.3.patched.tar.bz2
GNU bash 4.3 with patch 29
(9.38 MiB) Downloaded 45 times
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:

foetz
Moderator
Posts: 6594
Joined: Mon Apr 14, 2003 4:34 am

Re: Shellshock

Post by foetz » Fri Oct 10, 2014 12:05 pm

armanox wrote:I'd rather have an up-to-date package for them to use if they so chose, rather than the ancient version on SGI Freeware being the only one.

of course

ClassicHasClass
Donor
Posts: 2109
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal

Re: Shellshock

Post by ClassicHasClass » Fri Oct 10, 2014 6:46 pm

Proud to be a tcsh bigot, but I updated the TenFourFox bash to .30 anyway.
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

Raion-Fox
Donor
Posts: 1446
Joined: Thu Jan 30, 2014 5:01 pm
Location: near King George, Virginia

Re: Shellshock

Post by Raion-Fox » Fri Oct 10, 2014 9:54 pm

tcsh is good, but why not zsh? All the features of bash plus ksh plus some.
:O3x02L: R16000 700MHz 8GB RAM kanna
:Octane: R12000 300MHz SI 896MB RAM yuuka
:Octane2: R12000A 400MHz V6 2.5GB RAM
:Indy: (Acclaim) R4600 133MHz XL Graphics 32MB RAM
:Indy: (Challenge S) R4600 133MHz (MIPS III Build Server)

I am probably posting from yangxiaolong, HP Z230 with Xeon E3-1230v3, 16GB RAM, GeForce 750ti, and running NetBSD and Windows 8.1 Embedded.
Owner and operator of http://irix.pw

smj
Donor
Posts: 1666
Joined: Mon Nov 12, 2007 7:54 pm
Location: Berkeley, CA, USA, NA, Earth, Sol

Re: Shellshock

Post by smj » Sat Oct 11, 2014 12:53 am

TeamBlackFox wrote:tcsh is good, but why not zsh? All the features of bash plus ksh plus some.

I'll speak as a confessed tcsh fan and former consultant/sysadmin - laziness. I took to csh when I first got access to 4.3BSD and SunOS 3 systems, and tcsh was already in circulation - years before I ever heard of zsh, even a couple years before the first version was written at Princeton. And if I have to deal with a system that doesn't have tcsh, it almost always has csh, and all I'd really notice I've lost is command line history and some prompt setting magic.

Now that all shells are everywhere by default, I suppose I'm just a dinosaur not to invest the time... Well, right: laziness. :lol:
Then? :IRIS3130: ... Now? :O3x02L: :A3504L:- :A3502L: :1600SW:+MLA :Fuel: :Octane2: :Octane: :Indigo2IMP: :Indy: ... Other: DEC :BA213: :BA123: Sun, DG AViiON, NeXT :Cube:

ClassicHasClass
Donor
Posts: 2109
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal

Re: Shellshock

Post by ClassicHasClass » Sat Oct 11, 2014 8:41 am

In my case, tcsh works, is easy to get, doesn't change much, and I'm used to it. It hasn't cheesed me off enough to look at another shell.

Plus, as a product of the University of California, csh syntax is now wired into my brain.
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

josehill
Moderator
Posts: 3334
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA

Re: Shellshock

Post by josehill » Sat Oct 11, 2014 9:54 am

I'm in the same boat as smj and Classy, even though I'm an east coast guy, not a California dude.

The first system I used in earnest used tcsh as the default shell, so that was the first shell I truly learned, instead of merely tinkered with. Now, tcsh just fits like a glove, and I can't remember the last time I needed to do something and I didn't know how to do it with tcsh. There may be shells that are better for some purposes or more feature rich than tcsh, but it's unlikely that the effort required to learn something as well as I currently know tcsh would actually reap sufficient rewards in increased productivity. I have bigger problems than shell selection these days. :)

SAQ
Posts: 5871
Joined: Wed Jul 19, 2006 8:37 am
Location: Renton, WA

Re: Shellshock

Post by SAQ » Sat Oct 11, 2014 11:32 am

Another Tenex C/ZSH fan here, too.

Trying to recall what the deal was with writing scripts running on csh. I seem to recall dire warnings of impending doom being circulated at one point, along with reminders to use !#/bin/sh.
"Brakes??? What Brakes???"

"I am O SH-- the Great and Powerful"

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)

smj
Donor
Posts: 1666
Joined: Mon Nov 12, 2007 7:54 pm
Location: Berkeley, CA, USA, NA, Earth, Sol

Re: Shellshock

Post by smj » Sat Oct 11, 2014 3:17 pm

SAQ wrote:Trying to recall what the deal was with writing scripts running on csh. I seem to recall dire warnings of impending doom being circulated at one point, along with reminders to use !#/bin/sh.

Yes, that was a very strongly held belief - but after 20 years I'm also having a little trouble remembering why. Based on some sketchy Googling, I'm guessing it's based on SUID use being risky because of how csh selects the home directory to read dot-files from at startup. There may also be something about how the environment is inherited, or how shell variables are initialized...?

If you've got time, it looks like Matt Bishop released an update in 2009 of a security review he did on UNIX in the 80s. Grab a copy of the PDF here. It has some detail on the SUID issue, at minimum.
Then? :IRIS3130: ... Now? :O3x02L: :A3504L:- :A3502L: :1600SW:+MLA :Fuel: :Octane2: :Octane: :Indigo2IMP: :Indy: ... Other: DEC :BA213: :BA123: Sun, DG AViiON, NeXT :Cube:

kjaer
Posts: 427
Joined: Wed May 07, 2008 7:47 pm
Location: Seattle, WA

Re: Shellshock

Post by kjaer » Sat Oct 11, 2014 3:42 pm

setuid is dangerous on any shell script, not just those with csh. but csh is also poor for programming.

http://www-uxsup.csx.cam.ac.uk/misc/csh.html

On another note, I'm always amazed when an experienced UNIX user claims program x can't do y, when what he really means is, he never bothered to find out how. Most frequently, I encounter this around vi ("but I NEED vim to copy & paste!"), but... csh has always had command line history.
:OnyxR: :IRIS3130: :IRIS2400: :Onyx: :ChallengeL: :4D220VGX: :Indigo: :Octane: :Cube: :Indigo2IMP: :Indigo2: :Indy:

robespierre
Posts: 1579
Joined: Mon Sep 12, 2011 2:28 pm
Location: Boston

Re: Shellshock

Post by robespierre » Sat Oct 11, 2014 4:30 pm

i use tcsh as a login shell, but i've never liked it for scripts. just a dim feeling that it wasn't very clean. when i had to write some scripts to recover a lost file, i used ksh.
:PI: :O2: :Indigo2IMP: :Indigo2IMP:

smj
Donor
Posts: 1666
Joined: Mon Nov 12, 2007 7:54 pm
Location: Berkeley, CA, USA, NA, Earth, Sol

Re: Shellshock

Post by smj » Sat Oct 11, 2014 4:39 pm

kjaer wrote:but... csh has always had command line history.

More laziness - should I describe it as "interactive access to command history using editing key sequences?" That was what looked like a step backwards from what was available from VMS - doubtless other systems too (TOPS, TENEX, etc), but that was the mini OS I was using immediately prior, and I don't think any of the micro OSes I was using up to that time had it.

But yes, of course csh had command history - one of the primary reasons I preferred csh over sh in the first place was the history, as accessed through constructs like "!23" or "!-2" or "^sh^s" ...
Then? :IRIS3130: ... Now? :O3x02L: :A3504L:- :A3502L: :1600SW:+MLA :Fuel: :Octane2: :Octane: :Indigo2IMP: :Indy: ... Other: DEC :BA213: :BA123: Sun, DG AViiON, NeXT :Cube:

foetz
Moderator
Posts: 6594
Joined: Mon Apr 14, 2003 4:34 am

Re: Shellshock

Post by foetz » Sat Oct 11, 2014 5:51 pm

kjaer wrote:setuid is dangerous on any shell script, not just those with csh. but csh is also poor for programming.

http://www-uxsup.csx.cam.ac.uk/misc/csh.html

a classic issue of dispute which, as that page shows, can get very emotional. but fortunately it's quite easy.
if what you wanna do works with csh and you wanna do it with csh then it's fine. otherwise use ksh.

